I've tried configuring sudo before, but I haven't had too much luck with it. How is it different from su -l -c "x"? It seems that via the configuration file, one can make it so a user can only have access to certain commands and more. I always thought of sudo as a way of one-lining a command as another user or group. Since distros like Ubuntu and Mint make it easy by essentially giving the main user easy access to root via a password, I'm not really sure what its intended use is.

How do I add a user to the sudo file, giving them rights to only run certain commands at root? I also don't want to open up any security holes.

Sudo has additional features beyond su's. In particular, once you have a user's password, you can run any command as that user. On the other hand, sudo can be configured so that the user invoking it can only run specific commands as some other user. This is possible because sudo doesn't require any authentication (other than perhaps confirming that you are you by typing your password — but that's subtly different from authenticating your user for a task).

You change the sudo configuration by running the visudo command as root (never edit the configuration directly). Make sure the environment variable EDITOR or VISUAL is set to your favorite editor or you may get an unfamiliar editor. The sudoers man page is a bit terse but has examples. To allow the user bob to run /bin/foo (with any number of arguments) and /bin/bar --safe (but not with any other argument) as root, use the following lines:

Whether sudo requires the root password or the root password depends on the configuration. It can be set up either way.
–
Jonathan M DavisApr 14 '11 at 0:41

3

@Tshepang Amen, brother. If I'd have to release the root password and explain the support techs about how to SU and not do /anything/ other than apache2ctl graceful I think I'd prefer to slit my wrists and get it over with.
–
ShadurApr 14 '11 at 4:33

The biggest difference is that with sudo you don't need the root password to run a command as root, as you would for su. You do need the root password to add someone to the sudoers file but thereafter that person can run all or some (if you've restricted it) as root without requiring a further password.

The other difference is, as you've noted, sudo allows a much finer control over exactly what commands can be run.

For details of the format of the sudoers file run man sudoers. You'll find examples there of allowing only certain commands to be run as root. The basic structure of each line is:

user_list host_list = cmd_list

cmd_list can include details of which user the real user is allowed to switch to. For instance, you might allow a webmaster to switch to wwwroot to restart apache but not to root. It can also include other options such as whether the users password is required before switching (this is the default).

An example line might be:

joe ALL=(ALL) ALL

which means: let joe run any command on any host as any user. A tighter line might be:

joe ALL=(operator) /usr/local/ops/

which means: let joe run any command in the /usr/local/ops directory as the user "operator".

There are lots of examples at the end of the sudoers man page.

You should edit /etc/sudoers with the command visudo. This checks that the file is legal and helps prevent you from accidently breaking it.

Whether or not a password is required when using sudo depends entirely on how the sudoers file is set up. It can be set up to require a password or set up to not require a password.
–
Jonathan M DavisApr 14 '11 at 0:40

In addition to the other answers, sudo provides logging facilities so you can keep track of what commands were run and by who. This isn't for security purposes since a malicious user who gets sudo access can wipe out the log. It is very useful though to figure out exactly what you or some other admin did bleary eyed at 2am last week.

It is for security purposes because sudo supports logging to the syslog which in any major setup concerned about security will be configured to log to a separate remote machine so that if a system is compromised the logs cannot be effected.
–
ArrowmasterApr 14 '11 at 10:09